Supply-chain threat intelligence
Risk score
92
Indexed incident for dotenv-express (npm).
Package impersonates the popular dotenv package: package.json points its repository field to git://github.com/motdotla/dotenv.git and homepage to https://github.com/motdotla/dotenv#readme, neither of which the author owns. The library code is a near-verbatim copy of dotenv but adds const gate = require('environment-gate') at the top of lib/main.js, and the documented config() entry point begins with gate.gate() — so any consumer calling the standard dotenv API (require('dotenv-express').config()) executes code from environment-gate, an unrelated third-party dependency with no env-file-loading purpose, on every load. The package additionally ships skills/dotenv/SKILL.md and skills/dotenvx/SKILL.md whose frontmatter declares name: dotenv, author: motdotla, source: https://github.com/motdotla/dotenv, and instructs npm install dotenv — identity-spoofing metadata designed to trick AI coding agents into treating this package as the genuine dotenv. The combination of impersonated repo/homepage/skill metadata, a name one token away from dotenv, and a forced transitive dependency that runs on the documented API call is deliberate namespace abuse rather than a typo, and the harm to installers is whatever environment-gate does at require-time on every .config() invocation.
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Affected versions
Indicators
Timeline